CVE-2010-0624: Heap-based buffer overflow in GNU Tar and GNU Cpio

BACKGROUND

GNU Tar and GNU Cpio are popular programs for managing archive files. Both programs are included in many Linux distributions. GNU Tar is commonly used for exchanging source code archives.

Both programs include a client implementation for the remote mag tape protocol (rmt). This protocol allows accessing a tape device attached to a remote system via rsh/ssh. It can also be used to extract/create archive files on another system directly using Tar/Cpio (although using rmt for accessing remote files is deprecated).

The rmt client's read function first writes to the server how many bytes it wants to read using sprintf() and do_command(). Then it reads the number of bytes available into the variable status using get_status(). In the for loop, the function reads status bytes from the server into the buffer. However, it doesn't check whether status is actually less than or equal to the length of the buffer given by the parameter length. So a malicious rmt server can overwrite data on the heap following the buffer. Successful exploitation of this bug could possibly lead to arbitrary code execution.
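The missing bounds check described above, shown on a constructed model of the rmt read exchange (the server answers a read request with a status line "A<count>\n" followed by count bytes of data). This is an added example, not code from GNU Tar, GNU Cpio or paxutils; the function names and the sample replies are hypothetical. The hardened routine rejects any status larger than the caller's buffer instead of copying it.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse an rmt status line "A<count>\n" at *p. On success, return the
   count and advance *p past the newline; return -1 on an error reply
   ("E..."), a malformed line or a negative count. The reply buffer is
   assumed to be NUL-terminated so strtol() cannot run off the end. */
static long parse_status(const char **p)
{
    if (**p != 'A')
        return -1;
    char *end;
    errno = 0;
    long n = strtol(*p + 1, &end, 10);
    if (errno != 0 || end == *p + 1 || *end != '\n' || n < 0)
        return -1;
    *p = end + 1;
    return n;
}

/* Hardened read: copy at most `length` bytes from a server reply into
   buf. The check `status > length` is the one the advisory says is
   missing in the vulnerable client; without it a server-controlled
   status drives the copy loop past the end of the heap buffer.
   Returns the number of bytes copied, or -1 on a protocol error. */
long rmt_read_checked(const char *reply, size_t reply_len,
                      char *buf, size_t length)
{
    const char *p = reply;
    long status = parse_status(&p);
    if (status < 0)
        return -1;
    if ((size_t)status > length)          /* server asks for more than buf holds */
        return -1;
    size_t available = reply_len - (size_t)(p - reply);
    if ((size_t)status > available)       /* truncated reply: data not all there */
        return -1;
    memcpy(buf, p, (size_t)status);
    return status;
}

int main(void)
{
    char buf[16];                         /* small "heap" buffer stand-in */
    /* Constructed malicious reply: status far larger than the 16-byte buffer. */
    long n = rmt_read_checked("A4096\nxx", 8, buf, sizeof buf);
    printf("oversized status rejected: %s\n", n == -1 ? "yes" : "no");
    return 0;
}
```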

EXPLOIT VECTORS

The problem can be exploited when using an untrusted/compromised rmt server. The impact is fairly low since rmt is rarely used today and the rmt server is in most cases considered trustworthy.

However, this vulnerability can also be triggered when trying to extract a tar file with a colon in the filename. In this case, tar interprets the part before the colon as a hostname (or user@hostname) and opens an rsh connection to this host. This may also be exploited if the user uses the aunpack script from atool [1] to extract a tar file. Many users of GNU Tar or atool don't know that rmt exists and that tar treats filenames containing a colon differently. So a user might run tar or aunpack on a file which he has received via email or downloaded from a web page. Many users enter filenames using bash auto-completion and thus might not even notice that there is anything wrong with the filename.

For Cpio, this attack vector does not work since Cpio requires the option --rsh-command to use rmt. Tar has the default value "/usr/bin/rsh" compiled in.

It is also possible that there are scripts out there which automatically call Tar to extract a file with a name provided by an untrusted source. If the script passes the filename with an (absolute or relative) path or uses the --force-local option, this problem can be avoided.

Notes on rsh/ssh:

GNU Tar uses /usr/bin/rsh to execute the rmt server implementation (/usr/bin/rmt) on the server. On most modern Linux systems /usr/bin/rsh is just a symlink to ssh. So an attempt to exploit this vulnerability might make ssh ask the user whether to add a new key to the known_hosts file. This gives users the possibility to cancel the program and thus prevent successful exploitation. However, the problem can still be exploited if the attacker has compromised a machine which is already in the user's known_hosts file or if the user has set StrictHostKeyChecking to "no" in his ssh configuration.

WORKAROUND

Do not use the integrated rmt client of GNU Tar/Cpio if the rmt server is untrusted or potentially compromised. Always check that the filename doesn't contain a colon when extracting tar files, or use the --force-local option.

SOLUTION

Upgrade GNU Tar to version 1.23 and GNU Cpio to version 2.11.

Some Linux distributions are going to release upgraded packages today or in the next few days.

DISCLOSURE TIMELINE

2010/02/12: Vendor and major Linux distributions notified
2010/03/10: Public disclosure

Credit

This vulnerability has been discovered by Jakob Lell from the TU Berlin computer security working group (AGRS).